General infosec tip: keep your browser add-ons to the absolute minimum you can live with. Add-ons are attack vectors. The more you have - the more at risk you are. And only install the ones you have a reason to trust.
Nah, browsers are sandboxed to absolute shit it is such a pain in the ass to make an extension just to do a phishing attack or to buy the ownership of one to introduce malicious code.
At most an extension with really broad permissions like read/write contents of any page (a fact that is made obvious upon installation) can replace a link to take you to a phishing page to harvest creds, but thanks to SSL and HTTPS it won’t even work without fifty some odd warnings
You live by that and I’ll live by the advice I’ve seen from infosec professionals that recommend as few add-ons as possible due to security concerns. But yes, browsers are getting more secure over time and that’s good.
You obviously shouldn’t install closed source or otherwise shady extensions from dodgy authors you don’t know, but on the whole there is very little they can do that you should worry about.
Most “advice” comes from people who want to sell you something and the infosec industry is mostly a scam to drain B2B procurement budgets plus a few gay furry researchers at defcon and actual malware authors who do something, unless they just write crappy .NET junk.
Worrying about stuff like this in browser is akin to using a VPN on public WiFi to avoid MITM attacks, there’s nothing wrong with it but there’s basically nothing to actually worry about there.
If an add-on is modifying contents of pages it shouldn’t or of the clipboard when it shouldn’t, you would have to give it explicit permission at install time, i.e. “This extension can: Read and Modify Data on all sites you visit: Read and Modify contents of the clipboard.”
Obviously a simple URL redirector for wikipedia requesting access to this data is absurd and would be an immediate red flag. The reason this very thing doesn’t happen more often, is because frankly you’d have to be so computer illiterate to get to that stage that it is much easier to just phish you with basic Facebook profile info for much greater gains.
This is also the reason most “hacks” nowadays are either supply-side or phishing, shit is just too secure, no fun. We should bring back ActiveX.
Plopp@lemmy.world 3 months ago
General infosec tip: keep your browser add-ons to the absolute minimum you can live with. Add-ons are attack vectors. The more you have - the more at risk you are. And only install the ones you have a reason to trust.
LainTrain@lemmy.dbzer0.com 3 months ago
Nah, browsers are sandboxed to absolute shit it is such a pain in the ass to make an extension just to do a phishing attack or to buy the ownership of one to introduce malicious code.
At most an extension with really broad permissions like read/write contents of any page (a fact that is made obvious upon installation) can replace a link to take you to a phishing page to harvest creds, but thanks to SSL and HTTPS it won’t even work without fifty some odd warnings
Plopp@lemmy.world 3 months ago
You live by that and I’ll live by the advice I’ve seen from infosec professionals that recommend as few add-ons as possible due to security concerns. But yes, browsers are getting more secure over time and that’s good.
LainTrain@lemmy.dbzer0.com 3 months ago
I’m an cybersec MSc and an infosec professional.
You obviously shouldn’t install closed source or otherwise shady extensions from dodgy authors you don’t know, but on the whole there is very little they can do that you should worry about.
Most “advice” comes from people who want to sell you something and the infosec industry is mostly a scam to drain B2B procurement budgets plus a few gay furry researchers at defcon and actual malware authors who do something, unless they just write crappy .NET junk.
Worrying about stuff like this in browser is akin to using a VPN on public WiFi to avoid MITM attacks, there’s nothing wrong with it but there’s basically nothing to actually worry about there.
kuberoot@discuss.tchncs.de 3 months ago
I mean, couldn’t an addon just read the password you put into a login field, or send in a request, and send it off to their servers?
LainTrain@lemmy.dbzer0.com 3 months ago
If an add-on is modifying contents of pages it shouldn’t or of the clipboard when it shouldn’t, you would have to give it explicit permission at install time, i.e. “This extension can: Read and Modify Data on all sites you visit: Read and Modify contents of the clipboard.”
Obviously a simple URL redirector for wikipedia requesting access to this data is absurd and would be an immediate red flag. The reason this very thing doesn’t happen more often, is because frankly you’d have to be so computer illiterate to get to that stage that it is much easier to just phish you with basic Facebook profile info for much greater gains.
This is also the reason most “hacks” nowadays are either supply-side or phishing, shit is just too secure, no fun. We should bring back ActiveX.